Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can be from indexed data or accelerated data models. Because it searches on index-time fields instead of raw events, the tstats command is faster than the stats command. By default, the tstats command runs over accelerated and unaccelerated data models.

Required arguments

Syntax: (count | (PREFIX() | ))
Description: Either perform a basic count of a field or perform a function on a field. For a list of the supported functions for the tstats command, refer to the table below. You can apply the function to a field, or to a PREFIX() directive if you want to aggregate a raw segment in your indexed events as if it were an extracted field-value pair. You can also rename the result using the AS keyword, unless you are in prestats mode (prestats=true). You cannot specify functions without applying them to fields or eval expressions that resolve into fields. You cannot use wildcards to specify field names. See Usage to learn more about using PREFIX(), and about searches you can run to find raw segments in your data.

The following table lists the supported functions by type of function. Use the links in the table to see descriptions and examples for each function. For an overview about using functions with commands, see Statistical and charting functions.

Optional arguments

append
Syntax: append=true | false
Description: When in prestats mode (prestats=true), enables append=true, where the prestats results are appended to existing results instead of being generated from scratch.
Default: false

allow_old_summaries
Syntax: allow_old_summaries=true | false
Description: Only applies when selecting from an accelerated data model. When you change the constraints that define a data model but the Splunk software has not fully updated the summaries to reflect that change, the summaries may have some data that matches the old definition and some data that matches the new definition. To return results from summary directories only when those directories are up-to-date, set this parameter to false. If the data model definition has changed, summary directories that are older than the new definition are not used when producing output from the tstats command. This default ensures that the output from tstats always reflects your current configuration. When set to true, the tstats command uses both current summary data and summary data that was generated prior to the definition change. This is an advanced performance feature for cases where you know that the old summaries are "good enough," meaning the old summary data is close enough to the new summary data that its results are reliable. See When the data model definition changes and your summaries have not been updated to match it in the Splunk Cloud Platform Knowledge Manager Manual.
Default: false

chunk_size
Syntax: chunk_size=<unsigned_int>
Description: Advanced option. This argument controls how many events are retrieved at a time from a single tsidx file when the Splunk software processes searches. Lower this setting from its default only when you find a particular tstats search is using too much memory, or when it infrequently returns events. This can happen when a search groups by excessively high-cardinality fields (fields with very large amounts of distinct values). In such situations, a lower chunk_size value can make tstats searches more responsive, but potentially slower to complete. Conversely, a higher chunk_size can help long-running searches complete faster, with the potential tradeoff of making the search less responsive. For tstats, chunk_size cannot be set lower than 10000. The default value for the chunk_size argument is set by the chunk_size setting for the tstats stanza in limits.conf.
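As an added example (not part of the Splunk documentation excerpt above), two prestats-mode tstats searches are combined with append=true so that the second search's partial results are merged with the first's before a final stats command resolves them into per-source counts; both run with allow_old_summaries=true and chunk_size lowered to the documented minimum because the search groups by a high-cardinality source field. The Authentication data model and its action and src fields are assumed to exist and to be accelerated.

```spl
| tstats prestats=true allow_old_summaries=true chunk_size=10000 count
    from datamodel=Authentication
    where Authentication.action="failure"
    by Authentication.src
| tstats prestats=true append=true allow_old_summaries=true chunk_size=10000 count
    from datamodel=Authentication
    where Authentication.action="success"
    by Authentication.src
| stats count by Authentication.src
```

Because the intermediate results are in prestats form, the AS keyword cannot be used on either tstats call; rename or post-process fields only after the closing stats.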